Data Issues Roundup - 2 August 2016

Included in this issue: Protecting yourself when using the Internet of Things; EU data protection watchdogs will not challenge EU-US Privacy Shield (yet); European regulators publish opinions on the E-privacy Directive

UNITED KINGDOM

Protecting yourself when using the Internet of Things

The Information Commissioner's Office (ICO) has released guidance on its blog about how members of the public should protect themselves when using the Internet of Things (IoT). The IoT refers to the introduction of 'smart' devices, which have the ability to connect to one another.

The ICO highlights that household user devices that have access to the internet, such as security cameras, home security systems and wireless music systems, present a potential data security risk if they are not properly protected with adequate forms of security. The ICO flags that this could leave people vulnerable to theft of personal data, and offences such as identity fraud. The ICO is collaborating with manufacturers to see what they can do to incorporate security measures, but it flags that members of the public should take steps to protect themselves too. Such steps include: researching the security of products before buying; ensuring that a secure router is used (which is password protected with a unique password – not the default); and taking time to work through the set-up processes for devices.

In a world where everything can be controlled from your phone, it is important to be aware of the kind of information you are sharing online and over wi-fi networks, and whether this information can be easily obtained by a third party. With the rise in the IoT, the IoT Security Foundation was established; it is formed of 30 organisations which, like the ICO, have concerns around the security and privacy of the IoT.

EUROPE

The Article 29 Working Party (WP29) has released a statement on the EU-US Privacy Shield (Privacy Shield) adequacy decision, which was adopted by the EU Commission on 12 July 2016.

Overall, the WP29 welcomes the final changes made to the Privacy Shield and commends the efforts of the EU Commission and the US authorities for taking measures to address its concerns. However, it flags that a number of concerns are still outstanding. For example: there is a lack of specific rules relating to automated decision making and a general right to object; it is unclear how the provisions will apply to data processors; and stricter assurances are desirable in relation to the independence of the US ombudsman and the US's commitment to refrain from mass collection of EU citizens' data. WP29 requested that the Privacy Shield be reviewed post General Data Protection Regulation (GDPR) so that equivalent rights under it can be incorporated into the Privacy Shield going forward.

The WP29 has indicated that it will not challenge the legality of the shield for at least one year – until the first annual review. The first annual review will be a crucial time to assess the extent to which the remaining issues have been solved, and ensure that the safeguards under the Privacy Shield are workable and effective in practice.

The terms of the Privacy Shield are expected to be published in the U.S. Federal Register by mid-August 2016, with US companies wishing to sign up to receive EU personal data under the Privacy Shield being able to self-certify with the U.S. Department of Commerce that they will comply with the framework from 1 August 2016. Companies can apply from 1 August and, if certified within 2 months of the shield coming into force, will have 9 months to bring their supplier relationships/chains into compliance.

Regardless of the introduction of the Privacy Shield, organisations will still be able to rely on Binding Corporate Rules and the Standard Contractual Clauses (Model Clauses) for transferring data from the EU to the United States. Both these methods have been acknowledged by the European Commission as being valid methods of transferring EU personal data across the Atlantic.

European regulators publish opinions on the E-privacy Directive

The European Data Protection Supervisor (EDPS) and the Article 29 Working Party (WP29) have each published an opinion on the review of the Privacy and Electronic Communications Directive (E-Privacy Directive).

The EDPS is of the view that a new legislative regime is required to ensure the confidentiality of electronic communications. It flags that such a regime should complement the upcoming General Data Protection Regulation. The EDPS suggests extending the scope of the regime beyond traditional telephone and internet service providers, to cover all "functionality equivalent" services such as messaging in social networks and Voice over IP services. It also advocates increased consent requirements and, amongst other things, suggests that no communications should be tracked or monitored without freely given consent, and that prior consent should be required for all forms of unsolicited emails.

WP29 expresses similar views and it too highlights the importance of extending the regime to cover "functionality equivalent" service providers in the market, as well as increasing the occasions on which data subject consent is required.

Both opinions largely align with the view of the ICO, and it seems likely that the EU Commission will propose some significant change when it publishes new legislative proposals, expected by the end of 2016.